Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ansible changes for RH 7 and Python3 #278

Merged
merged 5 commits into from
Nov 30, 2020
Merged

Ansible changes for RH 7 and Python3 #278

Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
74fb722
Initial changes for python3 SELinux and python3-devel
amanda11 Nov 26, 2020
7be2807
Handle yum info failing as expected on RH 7
amanda11 Nov 26, 2020
ddbded5
Fix for when selinux is disabled
amanda11 Nov 27, 2020
d587460
Move libselinux-python3 to nginx role
amanda11 Nov 27, 2020
18b9119
Remove libselinux-python3
amanda11 Nov 27, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions roles/StackStorm.st2/tasks/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,54 @@
---
- name: Install python3 SELinux policies
become: yes
yum:
name: libselinux-python3
Copy link
Member

@arm4b arm4b Nov 27, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need libselinux-python3 dependency? I can't find any usage in StackStorm.st2 role.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It depends really on what python3 modules are used, ST2 itself doesn't need it, but there may be packs that import modules that need it given they are being moved from python2 -> 3, and therefore don't get the python3 selinux policies by default.

We could remove it, and then it would be up to the packs to ensure that they add the dependency if they need it.

I'm fine with either method.

Copy link
Member

@arm4b arm4b Nov 27, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That dependency is already installed in nginx role:

ansible-st2/roles/StackStorm.nginx/vars/redhat_8.yml

Lines 1 to 3 in 75193b9

selinux_dependencies:
- python3-libsemanage
- python3-libselinux

which is then used to adjust some security restrictions that may come by default in RHEL/CentOS

ansible-st2/roles/StackStorm.nginx/tasks/nginx_redhat.yml

Lines 81 to 95 in 75193b9

- name: Update SELinux facts after installing dependencies
become: yes
setup:
filter: ansible_selinux
when: nginx_selinux_dependencies.changed
tags: nginx, skip_ansible_lint
- name: Adjust SELinux to allow network access for nginx
become: yes
seboolean:
name: httpd_can_network_connect
state: yes
persistent: yes
when: ansible_facts.selinux.status == "enabled" and ansible_facts.selinux.mode == "enforcing"
tags: nginx

With that, we don't need it in st2 role, but may need to update the

ansible-st2/roles/StackStorm.nginx/vars/redhat.yml

Lines 1 to 3 in 75193b9

selinux_dependencies:
- libsemanage-python
- libselinux-python

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks - that's a better place to put it. Will move it to Nginx role.

state: present
register: _task
retries: 5
delay: 3
until: _task is succeeded
when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '7' and ansible_selinux.status == "enabled" and ansible_selinux.mode == "enforcing"
tags: st2

- name: Verify python3-devel is available in enabled repo
become: yes
shell:
cmd: yum info python3-devel
changed_when: false
register: _rpm_check
args:
warn: False
ignore_errors: yes
when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '7'
# Disable warning as yum doesn't support info
tags: st2, skip_ansible_lint

- name: Discover name of optional server rpm
become: yes
shell:
cmd: yum repolist disabled 2> /dev/null | awk -F'/' '/rhel-7-server-rhui-optional-rpms|rhui-REGION-rhel-server-optional|rhel-7-server-optional-rpms/{print $1}'
changed_when: false
register: _reponame
args:
warn: False
when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '7' and _rpm_check.rc != 0
# Disable warning as yum doesn't support repolist
tags: st2, skip_ansible_lint

- name: Install python3-devel
become: yes
yum:
name: python3-devel
state: present
enablerepo: "{{ _reponame.stdout }}"
register: _task
retries: 5
delay: 3
until: _task is succeeded
when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '7' and _rpm_check.rc != 0
tags: st2

- name: Install latest st2 package, auto-update
become: yes
package:
Expand Down